Hello:

I always thought that whenever /usr/sbin/setsebool was used, it would write either a "0" or a "1" into the corresponding boolean file. All SELinux boolean files are in /selinux/booleans but If I check, for example, this boolean ...

$ sudo /usr/sbin/getsebool ftp_home_dir
ftp_home_dir --> on

It returns a positive, but if I do

$ sudo less /selinux/booleans/ftp_home_dir

I get ...
read error (Press Return)

Furthermore, if I list the boolean file itself, it shows it to be empty
$ sudo ls -l /selinux/booleans/ftp_home_dir
-rw-r--r-- 1 root root 0 Aug 9 11:09 /selinux/booleans/ftp_home_dir

Where is SELinux storing the booleans then?

This is on CentOS 5.4

/selinux is a looking glass into the current state of affairs, akin to /proc or /sys.

The booleans are stored in the on-disk policy located under /etc/selinux/; more specifically /etc/selinux/targeted/policy/.

If you run setsebool without the -P option it only modifies the entry in /selinux/boolean/<name> and does not rebuild the on-disk policy so the setting will not persist a reboot. If you run an strace on it, you can see it open, for example, ftp_home_dir, write the value (0 or 1), then close; it also updates /selinux/commit_pending_bools. Whereas when using the -P, it opens, reads, (compiles,) writes each module in /etc/selinux/, rebuilds the on-disk policy, and then sets each boolean value in /selinux/booleans/ from the just compiled policy.

I see ...
$ cat /selinux/booleans/ftp_home_dir
shows current state and "persistent" state of this boolean

For others reading this thread go here for more details
http://flylib.com/books/en/2.803.1.68/2/